Install an LSC on a Phone with CUCM Cluster Security Mode set to Non-Secure

Similar documents
IP Phone Security and CTL (Certificate Trust List)

Cisco recommends that you have knowledge of these commonly used CUCM features:

Cisco CTL Client Setup

Cisco CTL Client setup

Encrypted Phone Configuration File Setup

CUCM Security By Default and ITL Operation and Troubleshooting

Encrypted Phone Configuration File Setup

Phone Security. Phone Security. This chapter provides information about phone security.

Using the Certificate Authority Proxy Function

Security by Default. Overview CHAPTER

Command or Action Step 1. Create and Configure Cisco Jabber Devices, on page 1

Default security setup

Certificate authority proxy function

Configuring Authentication and Encryption for CTI, JTAPI, and TAPI

The VPN menu and its options are not available in the U.S. export unrestricted version of Cisco Unified Communications Manager.

Default Security Setup

VPN Client. VPN Client Overview. VPN Client Prerequisites. VPN Client Configuration Task Flow. Before You Begin

Configure Voice and Video Communication

Command or Action Step 1. Create and Configure Cisco Jabber Devices, on page 1. Configure a SIP Trunk, on page 6

Manage Certificates. Certificates Overview

Configuration Example for Secure SIP Integration Between CUCM and CUC based on Next Generation Encryption (NGE)

Cisco IP Phone Security

Cisco IP Communicator Deployment Preparation

Post-Change Tasks and Verification

Secure External Phone Services Configuration Example

Voice-messaging ports security setup

Voice-Messaging Ports Security Setup

Cisco Unified IP Phone Settings

Cisco Desktop Collaboration Experience DX650 Security Overview

TLS Setup. TLS Overview. TLS Prerequisites

Unified Communication Cluster Setup with CA Signed Multi Server Subject Alternate Name Configuration Example

Preparing to Deploy Cisco IP Communicator

Enhancement in Security Certificate Management CUCM 11.x

Configuring the Cisco Phone Proxy

FIPS Mode Setup

Understanding Cisco Unified Communications Security

Migrate Phones Between Secure Clusters

IM and Presence Service Network Setup

Cisco Unified Communications Manager configuration for integration with IM and Presence Service

Configure Service Parameters

Security Guide for Cisco Unified Communications Manager, Release 11.5(1)

Security Certificate Configuration for XMPP Federation

Model Information, Status, and Statistics

Contents. Introduction

Troubleshooting Exchange Calendaring Integrations

High Level View of Certificates and Authorities in CUCM

Cisco TelePresence Endpoints and Cisco Unified Communications Manager

The information in this document is based on these software and hardware versions:

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

Managing Deployment. Understanding Deployment CHAPTER

Service Parameter Configuration

Contents. Introduction. Prerequisites. Requirements. Components Used

Managing Security Certificates in Cisco Unified Operating System

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

Troubleshooting Exchange Calendaring Integrations

Troubleshooting. General Troubleshooting Information

Setting Up a Cisco Unified Communications Manager SIP Trunk Integration, page 1

Fixing Issues with Corporate Directory Lookup from the Cisco IP Phone

Client services framework setup

Secure Survivable Remote Site Telephony (SRST) Reference

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Refer to Cisco Unified Communications Manager Security Guide for more details.

Statistics Available on the Phone, page 1 Statistics Available from the Phone Web Pages, page 8

Unified Communications Manager FAQ

Post-Installation Tasks for Cisco Unified Communications Manager

Cisco TelePresence Endpoints and Cisco Unified Communications Manager

4. Specifications and Additional Information

Configure Dual Stack IPv6

SAML-Based SSO Configuration

Autoregistration Configuration

Integrate Microsoft Office Communicator Client and Microsoft Lync Client for Cisco UC

Configure Push Notifications for Cisco Jabber on iphone and ipad

Configure Cisco IP Phones

Reestablishing a Broken CallManager Cluster SQL Subscription with Cisco CallManager

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Intercluster Peer Configuration

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

CIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1

Post-Installation Tasks

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Cisco Unified Communications Manager Security Guide Copyright 2010 Cisco Systems, Inc. All rights reserved.

UNH-IOL MIPI Alliance Test Program

Changing the IP Address and Hostname for Cisco Unified Communications Manager Release 8.6(1)

Implementing Core Cisco ASA Security (SASAC)

Viewing Security, Device, Model, Status, and Call Statistics Information on the Phone

Secure Call Recording

Unity Connection Version 10.5 SAML SSO Configuration Example

Cisco Unified Communications Manager Security Guide, Release 10.0(1)

Triple DES and AES 192/256 Implementation Notes

Changing the IP Address and Hostname for Cisco Unified Communications Manager Release 8.5(1)

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Troubleshooting CMX Connectivity with WLC

Provision Cisco UC Integration for MicrosoftOffice Communicator client

Configuring Cisco Unified Presence for Integration with Microsoft Exchange Server

IM and Presence Service Configuration for SIP Federation

Push Notifications (On-Premises Deployments)

Cisco TelePresence Endpoints and Cisco Unified Communications Manager

Configuration of Microsoft Live Communications Server for Partitioned Intradomain Federation

Integrate Microsoft Office Communicator and Microsoft Lync Clients for Cisco UC

Troubleshooting Cisco Emergency Responder System and Administration Problems

Transcription:

Install an LSC on a Phone with CUCM Cluster Security Mode set to Non-Secure Contents Introduction Background Information Manufacturing Installed Certificates (MICs) versus Locally Significant Certificates (LSCs) Prerequisites Requirements Components Used Configure Network Topology Configurations Verify Troubleshoot Related Documents Introduction This document describes how to install a Locally Significant Certificate (LSC) on a phone without change to the default Cluster Security Mode setting. The Cluster Security Mode may remain Non- Secure. This may be done with all Cisco Unified Communications Manager (CUCM) versions that support Security by Default, versions CUCM 8.0(1) and later. In these versions of CUCM, Initial Trust List (ITL) files contain the certificate for the Certificate Authority Proxy Function (CAPF) service on the CUCM Publisher. This allows phones to connect to the CAPF service to support certificate operations such as Install/Upgrade and Troubleshoot. In previous versions of CUCM, it was necessary to configure the cluster for Mixed Mode in order to support certificate operations. As this is no longer necessary, this reduces barriers to the use of LSCs as phone identity certificates for 802.1X authentication or for AnyConnect VPN client authentication. Contributed by Adam O Toole, Cisco TAC Engineer. Background Information Manufacturing Installed Certificates (MICs) versus Locally Significant Certificates (LSCs) If you use certificate based authentication for 802.1X or Anyconnect Phone VPN, It is important to understand the difference between Manufacturing Installed Certificates (MICs) and Locally Significant Certificates (LSCs).

Every Cisco phone comes with a MIC pre-installed at the factory. This certificate is signed by one of the Cisco Manufacturing CA certificates, either by the Cisco Manufacturing CA, Cisco Manufacturing CA SHA2, CAP-RTP-001 or CAP-RTP-002 certificate. When the phone presents this certificate, it proves that it is a valid Cisco phone, but this does not validate that the phone belongs to a specific customer or CUCM cluster. It could potentially be a rogue phone purchased on the open market or brought over from a different site. Locally Significant Certificates, on the other hand, are intentionally installed on phones by an administrator, and are signed by the CUCM Publisher's CAPF certificate. You would configure 802.1X or Anyconnect VPN to only trust LSCs issued by known CAPF certificate authorities. Basing certificate authentication on LSCs instead of MICs provides you with much more granular control over which phone devices are trusted. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: CUCM Cluster Security Mode options X.509 certificates Manufacturing Installed Certificates (MICs) Locally Significant Certificates (LSCs) CAPF certificate operations Security by Default Initial Trust List (ITL) files Components Used This document pertains only to CUCM versions that support Security by Default, namely CUCM 8.0(1) and above. It also only pertains to phones that support Security by Default. For example, the 7940 and 7960 phones do not support Security by Default, nor do the 7935, 7936 and 7937 conference phones. For a list of devices that support Security by Default in your version of CUCM, navigate to Cisco Unified Reporting > System Reports > Unified CM Phone Feature List and run a report on Feature: Security By Default. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Configure Network Topology The follow CUCM lab servers were used for this document. ao115pub - 10.122.138.102 - CUCM Publisher & TFTP server

ao115sub - 10.122.138.103 - CUCM Subscriber & TFTP server Configurations Verify that the Cluster Security Mode is currently set to Non-Secure. Navigate to Cisco Unified CM Administration > System > Enterprise Parameters > Security Parameters > Cluster Security Mode and verify that the Cluster Security Mode is set to 0 for Non-Secure. Note: If it is set to 1 for Mixed Mode, your cluster is in mixed mode and the procedure in this document still applies. Navigate to Cisco Unified Serviceability > Tools > Service Activation > CUCM Publisher > Security Services and verify that the Cisco Certificate Authority Proxy Function (CAPF) service is currently deactivated.

Verify that the CAPF certificate has not expired, nor is about to expire in the near future. Navigate to Cisco Unified OS Administration > Security > Certificate Management, then Find Certificate List where Certificate is exactly CAPF. Click on the Common Name to open the Certificate Details page. Inspect the Validity From: and To: dates in the Certificate File Data pane to determine when the certificate expires.

If the CAPF certificate has expired, or is soon to expire, regenerate that certificate before proceed. This avoids the need to reissue LSCs in the near future due to CAPF certificate expiration. For information about how to regenerate the CAPF certificate, please see the CUCM Certificate Regeneration/Renewal Process article. Similarly, if you need to have your CAPF certificate signed by a third party Certificate Authority, you have a choice to make at this stage. Either complete the Certificate Signing Request file generation and importation of the signed CAPF certificate now, or continue the configuration with a self-signed LSC for preliminary test. Should you need a third party signed CAPF certificate, it is generally prudent to configure this feature first with a self-signed CAPF certificate, test and verify, and then redeploy LSCs that are signed by a third party signed CAPF certificate. This simplifies

later troubleshooting should tests with the third party signed CAPF certificate fail. Warning: If you regenerate the CAPF certificate or import a third-party signed CAPF certificate while the CAPF service is activated and started, phones are automatically reset by CUCM. Complete these procedures in a maintenance window when it is acceptable for phones to be reset. For reference, please see CSCue55353 - Add warning when regenerating TVS/CCM/CAPF certificate that phones reset. Run the show itl command on all TFTP servers in the CUCM cluster. Observe that the ITL file does not currently contain a CAPF certificate. For example, here is an excerpt of the show itl output from the lab CUCM Subscriber ao115sub. Note that there is no ITL Record entry in this file with a FUNCTION of CAPF. ITL Record #:1 1 RECORDLENGTH 2 717 3 SUBJECTNAME 59 CN=ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TVS 5 ISSUERNAME 59 CN=ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 6B:99:31:15:D1:55:5E:75:9C:42:8A:CE:F2:7E:EA:E8 11 CERTHASH 20 05 9A DE 20 14 55 23 2D 08 20 31 4E B5 9C E9 FE BD 2D 55 87 12 HASH ALGORITHM 1 null ITL Record #:2 1 RECORDLENGTH 2 1680 3 SUBJECTNAME 71 CN=ITLRECOVERY_ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 System Administrator Security Token 5 ISSUERNAME 71 CN=ITLRECOVERY_ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 51:BB:2F:1C:EE:80:02:16:62:69:51:9A:14:F6:03:7E 9 CERTIFICATE 963 DF 98 C1 DB E0 61 02 1C 10 18 D8 BA F7 1B 2C AB 4C F8 C9 D5 (SHA1 Hash HEX) This etoken was not used to sign the ITL file. ITL Record #:3 1 RECORDLENGTH 2 717 3 SUBJECTNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TVS 5 ISSUERNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 65:E5:10:72:E7:F8:77:DA:F1:34:D5:E3:5A:E0:17:41 11 CERTHASH 20 00 44 54 42 B4 8B 26 24 F3 64 3E 57 8D 0E 5F B0 8B 79 3B BF 12 HASH ALGORITHM 1 null

ITL Record #:4 1 RECORDLENGTH 2 1652 3 SUBJECTNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 System Administrator Security Token 5 ISSUERNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 48:F7:D2:F3:A2:66:37:F2:DD:DF:C4:7C:E6:B9:CD:44 9 CERTIFICATE 959 20 BD 40 75 51 C0 61 5C 14 0D 6C DB 79 E5 9E 5A DF DC 6D 8B (SHA1 Hash HEX) This etoken was used to sign the ITL file. ITL Record #:5 1 RECORDLENGTH 2 1652 3 SUBJECTNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TFTP 5 ISSUERNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 48:F7:D2:F3:A2:66:37:F2:DD:DF:C4:7C:E6:B9:CD:44 9 CERTIFICATE 959 20 BD 40 75 51 C0 61 5C 14 0D 6C DB 79 E5 9E 5A DF DC 6D 8B (SHA1 Hash HEX) ITL Record #:6 1 RECORDLENGTH 2 1031 2 DNSNAME 9 ao115sub 3 SUBJECTNAME 62 CN=ao115sub-EC;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TFTP 5 ISSUERNAME 62 CN=ao115sub-EC;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 53:CC:1D:87:BA:6A:28:BD:DA:22:B2:49:56:8B:51:6C 7 PUBLICKEY 97 8 SIGNATURE 103 9 CERTIFICATE 651 E0 CF 8A B3 4F 79 CE 93 03 72 C3 7A 3F CF AE C3 3E DE 64 C5 (SHA1 Hash HEX) The ITL file was verified successfully. Navigate to Cisco Unified Serviceability > Tools > Service Activation > CUCM Publisher > Security, then activate the Cisco Certificate Authority Proxy Function on the CUCM Publisher. This service only runs on the Publisher.

Navigate to Cisco Unified Serviceability > Tools > Control Center Feature Services > Server > CM Services, then restart the Cisco Tftp service on all TFTP servers in the CUCM cluster to regenerate the ITL file. Run the show itl command on all TFTP servers in the CUCM cluster to verify that the current CUCM Publisher CAPF certificate is now included in the file. In our example, the show itl output from the lab CUCM Subscriber ao115sub now includes an ITL Record entry for the ao115pub CAPF certificate. The CN and serial number listed match the current CAPF certificate. ITL Record #:1 1 RECORDLENGTH 2 727 3 SUBJECTNAME 64 CN=CAPF-7f0ae8d7;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 CAPF 5 ISSUERNAME 64 CN=CAPF-7f0ae8d7;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 64:F2:FE:61:3B:79:C5:D3:62:E2:6D:AB:4A:8B:76:1B 11 CERTHASH 20 C3 E6 97 D0 8A E1 0B F2 31 EC ED 20 EC C5 BC 0F 83 BC BC 5E 12 HASH ALGORITHM 1 null ITL Record #:2

1 RECORDLENGTH 2 717 3 SUBJECTNAME 59 CN=ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TVS 5 ISSUERNAME 59 CN=ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 6B:99:31:15:D1:55:5E:75:9C:42:8A:CE:F2:7E:EA:E8 11 CERTHASH 20 05 9A DE 20 14 55 23 2D 08 20 31 4E B5 9C E9 FE BD 2D 55 87 12 HASH ALGORITHM 1 null ITL Record #:3 1 RECORDLENGTH 2 1680 3 SUBJECTNAME 71 CN=ITLRECOVERY_ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 System Administrator Security Token 5 ISSUERNAME 71 CN=ITLRECOVERY_ao115pub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 51:BB:2F:1C:EE:80:02:16:62:69:51:9A:14:F6:03:7E 9 CERTIFICATE 963 DF 98 C1 DB E0 61 02 1C 10 18 D8 BA F7 1B 2C AB 4C F8 C9 D5 (SHA1 Hash HEX) This etoken was not used to sign the ITL file. ITL Record #:4 1 RECORDLENGTH 2 717 3 SUBJECTNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TVS 5 ISSUERNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 65:E5:10:72:E7:F8:77:DA:F1:34:D5:E3:5A:E0:17:41 11 CERTHASH 20 00 44 54 42 B4 8B 26 24 F3 64 3E 57 8D 0E 5F B0 8B 79 3B BF 12 HASH ALGORITHM 1 null ITL Record #:5 1 RECORDLENGTH 2 1652 3 SUBJECTNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 System Administrator Security Token 5 ISSUERNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 48:F7:D2:F3:A2:66:37:F2:DD:DF:C4:7C:E6:B9:CD:44 9 CERTIFICATE 959 20 BD 40 75 51 C0 61 5C 14 0D 6C DB 79 E5 9E 5A DF DC 6D 8B (SHA1 Hash HEX) This etoken was used to sign the ITL file. ITL Record #:6 1 RECORDLENGTH 2 1652

3 SUBJECTNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TFTP 5 ISSUERNAME 59 CN=ao115sub;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 48:F7:D2:F3:A2:66:37:F2:DD:DF:C4:7C:E6:B9:CD:44 9 CERTIFICATE 959 20 BD 40 75 51 C0 61 5C 14 0D 6C DB 79 E5 9E 5A DF DC 6D 8B (SHA1 Hash HEX) ITL Record #:7 1 RECORDLENGTH 2 1031 2 DNSNAME 9 ao115sub 3 SUBJECTNAME 62 CN=ao115sub-EC;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 4 FUNCTION 2 TFTP 5 ISSUERNAME 62 CN=ao115sub-EC;OU=TAC;O=Cisco Systems;L=Boxborough;ST=MA;C=US 6 SERIALNUMBER 16 53:CC:1D:87:BA:6A:28:BD:DA:22:B2:49:56:8B:51:6C 7 PUBLICKEY 97 8 SIGNATURE 103 9 CERTIFICATE 651 E0 CF 8A B3 4F 79 CE 93 03 72 C3 7A 3F CF AE C3 3E DE 64 C5 (SHA1 Hash HEX) The ITL file was verified successfully. Now, you may complete a certificate operation on a phone. In this example, you install a 2048 bit RSA certificate with use of By Null String authentication. On the phone, verify that an LSC is not yet installed. For example, on a 7900 series phone, navigate to Settings > 4 - Security Configuration > 4 - LSC. Open the phone configuration page for your phone from Cisco Unified CM Administration > Device > Phone. Navigate to the Certification Authority Proxy Function (CAPF) Information section of the phone s configuration. For Certificate Operation, select Install/Upgrade For Authentication Mode, select By Null String For this example, leave the Key Order, RSA Key Size (Bits) and EC Key Size (Bits) set to the system defaults.

For Operation Completes By, enter a date and time that is at least one hour in to the future. Save your configuration changes, then Apply Config. The LSC status on the phone changes to Pending. The phone generates keys.

The phone resets, and when the reset completes, the phone LSC status changes to Installed. This is also visible under Status Messages in the phone.

Verify To verify LSC certificate installation on multiple phones, please see the Generate CAPF Report section of Security Guide for Cisco Unified Communications Manager, Release 11.0(1). Alternatively, you may view the same data win the CUCM Administration web interface by use of the Find Phones by LSC Status or Authentication String procedure. To obtain copies of the LSC certificates installed in phones, please see the How to retrieve certificates from Cisco IP phonesarticle. Troubleshoot The LSC fails to install. The phone s Status Messages show "No valid CAPF server". This indicates that there is no CAPF entry in the ITL file. Verify that the CAPF service was activated, and then restart the TFTP Service. Verify that the ITL file contains a CAPF certificate after the restart, reset the phone to pick up the latest ITL file, and then retry your certificate operation. The LSC fails to install. The phone s Status Messages show "LSC: Connection Failed". This may indicate one of the follow conditions: A mismatch between the CAPF certificate in ITL file and the current certificate the CAPF service is using. The CAPF service is stopped or deactivated. The phone cannot reach the CAPF service over the network. Verify the CAPF service is activated, restart the CAPF service, restart TFTP services clusterwide, reset the phone to pick up the latest ITL file, and then retry your certificate operation. If the problem persists, take a packet capture from the phone and the CUCM Publisher, and analyze to see if there is bidirectional communication on port 3804, the default CAPF service port. If not, there may be a network issue. The LSC fails to install. The phone s Status Messages show "LSC: Failed". The Phone Configuration web page shows "Certificate Operation Status: Upgrade Failed: User Initiated Request Late/Timedout". This indicates that the Operation Completes By time and date have expired or are in the past. Enter a date and time that is at least one hour in to the future, and then retry your certificate operation. Related Documents The follow documents provide more information on the use of Locally Significant Certificates in the context of for AnyConnect VPN client authentication and 802.1X authentication. AnyConnect VPN Phone - IP Phones, ASA, and CUCM Troubleshooting Identity-Based Networking Services: IP Telephony In IEEE 802.1X-Enabled Networks Deployment and Configuration Guide There is also an advanced type of LSC configuration, in which the LSC certificates are signed directly by a third party Certificate Authority, not the CAPF certificate. For details, please see:

CUCM Third-Party CA-Signed LSCs Generation and Import Configuration Example

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback